c003660d5c9a6073d14d3ffb09aa315b1e8ffe1aea7afbd7628320710a7bcf05

Analysis

max time kernel
186s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 13:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c003660d5c9a6073d14d3ffb09aa315b1e8ffe1aea7afbd7628320710a7bcf05.exe
Size

1.2MB
MD5

961267ff4fb15c0faa9596b3cc7a6369
SHA1

9b9ea3b7336754d0938398091580a41499a31319
SHA256

c003660d5c9a6073d14d3ffb09aa315b1e8ffe1aea7afbd7628320710a7bcf05
SHA512

c1ba45d55fabafc5b9a348038e474677a52efbd000c900f47dcfbfd552b82894c0dc872fdf3b6abe0f799a861e4d936e7679827d18bb26fc7e5c25fc0a43c2e2
SSDEEP

24576:69WC988bu6CoKrbkz82LErXZK8mLE4VqaqKXqSM0s34Vx1:6B88TCoo4z820XY8mdxXHQy3

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022e27-140.dat	acprotect
behavioral2/files/0x0006000000022e28-141.dat	acprotect
behavioral2/files/0x0006000000022e28-142.dat	acprotect
behavioral2/files/0x0006000000022e28-143.dat	acprotect
behavioral2/files/0x0006000000022e28-144.dat	acprotect
behavioral2/memory/5024-147-0x0000000074200000-0x000000007420A000-memory.dmp	acprotect
behavioral2/memory/5024-157-0x0000000074200000-0x000000007420A000-memory.dmp	acprotect

Executes dropped EXE 1 IoCs

pid	Process
5024	ec55Installer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e27-140.dat	upx
behavioral2/files/0x0006000000022e28-141.dat	upx
behavioral2/files/0x0006000000022e28-142.dat	upx
behavioral2/files/0x0006000000022e28-143.dat	upx
behavioral2/files/0x0006000000022e28-144.dat	upx
behavioral2/memory/5024-147-0x0000000074200000-0x000000007420A000-memory.dmp	upx
behavioral2/memory/5024-157-0x0000000074200000-0x000000007420A000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c003660d5c9a6073d14d3ffb09aa315b1e8ffe1aea7afbd7628320710a7bcf05.exe

Loads dropped DLL 14 IoCs

pid	Process
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe
5024	ec55Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000022e10-133.dat	nsis_installer_1
behavioral2/files/0x0007000000022e10-133.dat	nsis_installer_2
behavioral2/files/0x0007000000022e10-134.dat	nsis_installer_1
behavioral2/files/0x0007000000022e10-134.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1272	c003660d5c9a6073d14d3ffb09aa315b1e8ffe1aea7afbd7628320710a7bcf05.exe
1272	c003660d5c9a6073d14d3ffb09aa315b1e8ffe1aea7afbd7628320710a7bcf05.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5024	ec55Installer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 5024	1272	c003660d5c9a6073d14d3ffb09aa315b1e8ffe1aea7afbd7628320710a7bcf05.exe	80
PID 1272 wrote to memory of 5024	1272	c003660d5c9a6073d14d3ffb09aa315b1e8ffe1aea7afbd7628320710a7bcf05.exe	80
PID 1272 wrote to memory of 5024	1272	c003660d5c9a6073d14d3ffb09aa315b1e8ffe1aea7afbd7628320710a7bcf05.exe	80

C:\Users\Admin\AppData\Local\Temp\c003660d5c9a6073d14d3ffb09aa315b1e8ffe1aea7afbd7628320710a7bcf05.exe
"C:\Users\Admin\AppData\Local\Temp\c003660d5c9a6073d14d3ffb09aa315b1e8ffe1aea7afbd7628320710a7bcf05.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\temp\ec55Installer.exe
  "C:\Users\Admin\AppData\Local\temp\ec55Installer.exe" /KEYWORD=ec55 "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec55Installer.exe

Filesize
808KB

MD5
26203d9c7822dc99464204ee35be7f16

SHA1
543438bb6f176412a63d2c1fd4077ad2b1b307bd

SHA256
76a24e095ba755b1edcc5f0bd4818076432154ed4af7a4cded5eed9967faa255

SHA512
dff0dccc13df842c54012b893ca2f3aafb7daa2b6182aaa72251d39eb7fe425ce81f9c3c20f1165579d3482f9fa468f604c0272518a7f82b1b62e47d8b4433ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\ButtonEvent.dll

Filesize
4KB

MD5
55788069d3fa4e1daf80f3339fa86fe2

SHA1
d64e05c1879a92d5a8f9ff2fd2f1a53e1a53ae96

SHA256
d6e429a063adf637f4d19d4e2eb094d9ff27382b21a1f6dccf9284afb5ff8c7f

SHA512
d3b1eec76e571b657df444c59c48cad73a58d1a10ff463ce9f3acd07acce17d589c3396ad5bdb94da585da08d422d863ffe1de11f64298329455f6d8ee320616

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\ToolkitOffers.dll

Filesize
245KB

MD5
3c6a9490f32cf8aca12252188874dade

SHA1
4df69fe59c10f2cd6de472e5fc05eed5a489998b

SHA256
89ebab8d0675d7b79a3d0a455ec55d0b87aa0804cfd092e30f3d1142f0ce1109

SHA512
e8ce3378bb4cfb95cbe5ea0ad83fbf8e129cdfa0e724346b789c3f43c76b8a81d85b1c1b1c1c3fe7de0bf2b00e3c8fe485b2d784d8bbaf2221faa2ce20aa6be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\ToolkitOffers.dll

Filesize
245KB

MD5
3c6a9490f32cf8aca12252188874dade

SHA1
4df69fe59c10f2cd6de472e5fc05eed5a489998b

SHA256
89ebab8d0675d7b79a3d0a455ec55d0b87aa0804cfd092e30f3d1142f0ce1109

SHA512
e8ce3378bb4cfb95cbe5ea0ad83fbf8e129cdfa0e724346b789c3f43c76b8a81d85b1c1b1c1c3fe7de0bf2b00e3c8fe485b2d784d8bbaf2221faa2ce20aa6be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\ToolkitOffers.dll

Filesize
245KB

MD5
3c6a9490f32cf8aca12252188874dade

SHA1
4df69fe59c10f2cd6de472e5fc05eed5a489998b

SHA256
89ebab8d0675d7b79a3d0a455ec55d0b87aa0804cfd092e30f3d1142f0ce1109

SHA512
e8ce3378bb4cfb95cbe5ea0ad83fbf8e129cdfa0e724346b789c3f43c76b8a81d85b1c1b1c1c3fe7de0bf2b00e3c8fe485b2d784d8bbaf2221faa2ce20aa6be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\ToolkitOffers.dll

Filesize
245KB

MD5
3c6a9490f32cf8aca12252188874dade

SHA1
4df69fe59c10f2cd6de472e5fc05eed5a489998b

SHA256
89ebab8d0675d7b79a3d0a455ec55d0b87aa0804cfd092e30f3d1142f0ce1109

SHA512
e8ce3378bb4cfb95cbe5ea0ad83fbf8e129cdfa0e724346b789c3f43c76b8a81d85b1c1b1c1c3fe7de0bf2b00e3c8fe485b2d784d8bbaf2221faa2ce20aa6be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\ToolkitOffers.dll

Filesize
245KB

MD5
3c6a9490f32cf8aca12252188874dade

SHA1
4df69fe59c10f2cd6de472e5fc05eed5a489998b

SHA256
89ebab8d0675d7b79a3d0a455ec55d0b87aa0804cfd092e30f3d1142f0ce1109

SHA512
e8ce3378bb4cfb95cbe5ea0ad83fbf8e129cdfa0e724346b789c3f43c76b8a81d85b1c1b1c1c3fe7de0bf2b00e3c8fe485b2d784d8bbaf2221faa2ce20aa6be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\nsArray.dll

Filesize
6KB

MD5
f8462e9d1d7fd39789afca89ab6d6046

SHA1
7e9a518e15b7490245d2bef11a73f209c8d8d59b

SHA256
48941e9f5c92a33f1e60a7a844d562dd77ce736fd31b5503c980b49679dfe85e

SHA512
57dee2253abd7d17d53811d5e95237f9434288518fb043645524a517786db2d8a91df86a6da732c620f12ad0e7ea30a923b8d5f3de386c65bd3ff240bc0dff69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2396.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
C:\Users\Admin\AppData\Local\temp\ec55Installer.exe

Filesize
808KB

MD5
26203d9c7822dc99464204ee35be7f16

SHA1
543438bb6f176412a63d2c1fd4077ad2b1b307bd

SHA256
76a24e095ba755b1edcc5f0bd4818076432154ed4af7a4cded5eed9967faa255

SHA512
dff0dccc13df842c54012b893ca2f3aafb7daa2b6182aaa72251d39eb7fe425ce81f9c3c20f1165579d3482f9fa468f604c0272518a7f82b1b62e47d8b4433ff

Download Submit
C:\Users\Admin\AppData\Local\temp\ec55fondo.bmp

Filesize
206KB

MD5
a2e55addab424dde6b7bbf5cc9380d11

SHA1
35c8c557a1a40aed468e31088e77a49ab54e4d0a

SHA256
4dd825b3655dc266cfc6d4b612b368136d43cc2dff8737204f4cfa086c7995a9

SHA512
0781aed737cbd9c8511721d64db47390cf6242a2cb8fd76646a57361d5496c8a87f396e30fa70cab8d6b0150184aa5b27d9163a76fbbb9f4538aaa3dc002c09e

Download Submit
C:\Users\Admin\AppData\Local\temp\ec55header.bmp

Filesize
25KB

MD5
e5306ec2d3a31101c1a5437a26f7406b

SHA1
ca9310bfefd1a99a75f81daf723bd0c20afe51f7

SHA256
5d6fb3c0409d61e32486546e70d3b492666984aba26d547b58d48f5f5bb10091

SHA512
a62680a29ee83431078ccc8a1421f29a714495aab102fad7752f0606db6c54211e839251fcb6d27081701483caf6ea54b60d26b1162940b783346271253387ca

Download Submit
C:\Users\Admin\AppData\Local\temp\ec55installer.ini

Filesize
602B

MD5
dcfa3bb9c13955882fff6d0a5ea23b09

SHA1
8535eb713bd65340f8e351296da1bfeded5bbb10

SHA256
caa36b92bce3e68e20dbc352179aeccb78aa58c8e47e734e78e3b5600863feed

SHA512
bc7d9d0405428d8ad97005849a46201a86f75f279df9fa128fb073d91df1c6a1eaf8e63e5437df5266ed42da2030b30feb2fdf64c5a783a98522c998f3e163fe

Download Submit
memory/5024-149-0x00000000037F0000-0x00000000037FC000-memory.dmp

Filesize
48KB

Download
memory/5024-150-0x00000000037F0000-0x00000000037FC000-memory.dmp

Filesize
48KB

Download
memory/5024-148-0x00000000037F0000-0x00000000037FC000-memory.dmp

Filesize
48KB

Download
memory/5024-154-0x00000000037F1000-0x00000000037F3000-memory.dmp

Filesize
8KB

Download
memory/5024-147-0x0000000074200000-0x000000007420A000-memory.dmp

Filesize
40KB

Download
memory/5024-157-0x0000000074200000-0x000000007420A000-memory.dmp

Filesize
40KB

Download
memory/5024-158-0x00000000037F0000-0x00000000037FC000-memory.dmp

Filesize
48KB

Download
memory/5024-159-0x00000000037F0000-0x00000000037FC000-memory.dmp

Filesize
48KB

Download